Symmetrix

Start a Discussion
3 Silver

symauth and symacl questions

Hi,

I'm actually working for a customer wishing to secure it's VMAX environnement so that only those working with storage environnement  can actively administrate the storage array.  The request come from the fact that anyone logging onto management console having Solutions Enabler, will be able to execute commands on the array.

In order to secure the arrays from non-storage administrator, i have activated "symauth" in the following way:

-I create a Windows Domain account (D:) for each storage administrator in the authentification DB of each VMAX

-I have also created a local account on each console (in case the Windows Domain is not accessible)

--> I have enabled "symauth" in enhenced mode in order to limit access to only the users registered on each VMAX

Can anyone who used this fonctionnality able to tell me it is the right way to use it ?

Also, the customer has a AIX server that will be used to SNAP volumes from the VMAX and wish to limit it's access to only SE TF/SNAP operations.  I know i should use the "symacl" command to do so, but am unsure of where to start. I have 3 SE installed in the environnement, 2 are installed on management console and 1 is on AIX server.

-On the management consoles (Unisphere), should i leave the base configuration in place (UNKNOWN_GRP) ?  Or should i add new ACL and remove the base configuration ?

-What ACL configuration should i place on the AIX server ?

Thank you,

Christian

Solution (1)

Accepted Solutions
3 Argentum

The SYMACL should be configured using SYMMWIN. This is an online procedure and it wont take more than 2 minutes then like Saurabh said you continue working on the rest of configurations using SE.

For your questions regarding ACL on AIX server:

If you want to limit the use only to TF/SNAP then your configuration should be as follows (Assuming you've enabled it from SYMMWIN already):

For your ACE, you will need to assign at least BASE and SNAP permissions for your controlled devices “accpool” for your AIX server group “accgroup”.

grant access=BASE to accgroup “name” for accpool “name”;

grant access=SNAP to accgroup “name” for accpool “name”;

Alternatively, You can use the ALL devs instead of accpool but this is less restrictive.

grant access=BASE to accgroup “name” for ALL devs;

grant access= SNAP to accgroup “name” for ALL devs;

The managemnt Console should have ADMIN privillage as it will use (as per my understanding) to manage the whole symmetrix. I do not recommend mixing SYMAUTH and SYMACL on the same environment but i have seen configurations where both are implemented. It is up to your customer security policy but both can be configured on the same environment.

Let me Know if you have further questions

Mohammed Salem

View solution in original post

Community Accepted Solution
Replies (17)
4 Germanium

Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility.  Questions written to the users' own "Discussions" space don't get the same amount of attention and questions can go unanswered for a long time.

You can do so by selecting "Move" under ACTIONS along the upper-right.  Then search for and select: "Symmetrix Support Forum" which would be the most relevant for this question.

4 Tellurium

symacl needs to be enable in the BIN and then configure through SE.

3 Argentum

The ACL helps to restrict for a server from where you would like to control the array irrelevant of the SYMAUTH.

If auth is configured then those user who got rights can do the administration from the servers configured with symacl.

Only symacl will put or give path to all the users on the system to do storage administration.

Hope the user account is unique to a person.

With the ACL you have to be cautious, if you forgot to add the newly created devices in user defined ACL groups / pools then you may end up troubleshooting.

Its you're choice to decide whether you need only SYMAUTH or both. Cause, I do not see a strong reason to use both.

3 Argentum

The SYMACL should be configured using SYMMWIN. This is an online procedure and it wont take more than 2 minutes then like Saurabh said you continue working on the rest of configurations using SE.

For your questions regarding ACL on AIX server:

If you want to limit the use only to TF/SNAP then your configuration should be as follows (Assuming you've enabled it from SYMMWIN already):

For your ACE, you will need to assign at least BASE and SNAP permissions for your controlled devices “accpool” for your AIX server group “accgroup”.

grant access=BASE to accgroup “name” for accpool “name”;

grant access=SNAP to accgroup “name” for accpool “name”;

Alternatively, You can use the ALL devs instead of accpool but this is less restrictive.

grant access=BASE to accgroup “name” for ALL devs;

grant access= SNAP to accgroup “name” for ALL devs;

The managemnt Console should have ADMIN privillage as it will use (as per my understanding) to manage the whole symmetrix. I do not recommend mixing SYMAUTH and SYMACL on the same environment but i have seen configurations where both are implemented. It is up to your customer security policy but both can be configured on the same environment.

Let me Know if you have further questions

Mohammed Salem

Community Accepted Solution

Hi,

Thank you for you answers.  I will continu working on this soon and will return if i have further questions.

Christian

Hi Mohammed,

Just to confirm, the symacl command is used to give or restrict access to a host, so do i need to be connected on that host in order to run the symacl command for that specific host ?

Thank you,

Christian

In order to run SYMACL commands you need to be connected to any SE host that has privileges to do so. You can create and edit new ACLs for any host from any management host that is permitted to do so. You do need to get the unique identifier of the specific host you would like you to create ACLs for directly from that host though. So if you need to create ACL rule for host B (which is currently not authorized) you would need to first log on to host B and run:

C:\>symacl -unique

The unique id for this host is: 2C5D07AF-54448CC9-9A3B7D7C

This gives you the unique identifier of that host. You would need to then go to another host that is currently authorized, lets say host A to create the ACLs for host B. You can then use host B to run commands allowed by the new ACLs.

Furthermore, by default any client that connects to that host B to issue SYMAPI calls remotely will inherit the ACLs of that server. But it can also be configured in a way for clients to have their own ACLs--this is non-default. Refer the Solutions Enabler guide for more information on that.

Hi Cody,

Thank you for you answer.  Following are some questions i have about this fonctionality.

From what Mohammed and you answered, i'm thinking that i could put more than one unique ID in the ACCGROUP, that is if the hosts have the same rights in the end.

--> Console 1 and console 2 are used to manage all VMAX environnement:

ACCGROUP:

add host accid xxxxxxxx-xxxxxxxx-xxxxxxxx name WITPP01CON33 to accgroup UNISPHERE;

add host accid xxxxxxxx-xxxxxxxx-xxxxxxxx name WITPP02CON33 to accgroup UNISPHERE;

ACE:

grant access=ADMIN to accgroup “UNISPHERE” for ALL devs;

Also, the documentation, mention to enter a PIN when you commit the creation of an ACCGROUP, do you know what this is about ?

The customer is also asking if for some reason a bad SYMACL change is done, if it can be simply de-activated, i guess so via EMC support (SYMMWIN) ?

And finaly, can you confirm me that the creation of ACL is done to secure hosts that are using SE only and will not cause interruption for the other hosts that are masked in the environnement ?

I know it's a lot of questions (first time using this functionality), but all the help you can give me will be very appreciated.

Christian

You're welcome!

Yes--you can add multiple identifiers to one access group--this is the preferred option in many cases. The mgmt guide talks about this in detail: https://support.emc.com/docu46983_Solutions-Enabler-Symmetrix-Array-Management-CLI--7.6-Product-Guid...

Q: Also, the documentation, mention to enter a PIN when you commit the creation of an ACCGROUP, do you know what this is about ?

A: The pin is created in SYMMWIN by PSE when enabling ACLs. This allows you to make changes to ACLs. We enforce the use of this to make sure ACLs are implemented properly with EMCs supervision/approval.


Q: The customer is also asking if for some reason a bad SYMACL change is done, if it can be simply de-activated, i guess so via EMC support (SYMMWIN) ?

A: You should always make sure a mgmt host is created that has the ability to undo changes that are incorrect or have unintended consequences. But yes, PSE has the ability to correct errors if they are unrecoverable by the customer. But we recommend that ACLs be carefully planned with EMC and the customer so this does not happen. Ensure careful change request procedures are created and followed.


Q: And finaly, can you confirm me that the creation of ACL is done to secure hosts that are using SE only and will not cause interruption for the other hosts that are masked in the environnement ?

A: ACLs will never interrupt normal host I/O in any situation. ACLs only prevent management changes but will never interfere with data access


Top Contributor
Latest Solutions